IPsec and SNAT

最新推荐文章于 2024-09-18 15:04:28 发布

最新推荐文章于 2024-09-18 15:04:28 发布 · 84 阅读

文章标签：

本文介绍如何在使用IP伪装或NAT时，避免将要隧道传输的数据包被修改。通过修改NAT规则或使用特定策略匹配来实现这一目标，确保IPSec隧道正常工作。

Do not MASQ or NAT packets to be tunneled
If you are using IP masquerade or Network Address Translation (NAT) on either gateway, you must now exempt the packets you wish to tunnel from this treatment. For example, if you have a rule like:

# iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

change it to something like:

# iptables -t nat -I POSTROUTING -o eth0 -s 10.0.0.0/24 -d ! 172.16.0.0/24 -j MASQUERADE

or use passthrough rule
# iptables -t nat -I POSTROUTING 1 -o eth0 -s 10.0.0.0/24 -d 172.16.0.0/24 -j RETURN/ACCEPT

or use policy matching !

with iptables 1.3.5 and a Linux kernel > 2.6.15, IPsec policy matching developed by Patrick McHardy was introduced into Linux Netfilter, changing the behaviour of NAT rules in regard to IPsec tunnels. If you e.g. have a general NAT rule for mapping internal addresses to the external interface and want to exempt tunneled traffic from NAT then you must insert an IPsec policy matching rule in front of the SNAT or MASQUERADE rule in the POSTROUTING chain. This is what I'm doing on my productive system:

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere policy match dir in pol ipsec mode tunnel

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere policy match dir out pol ipsec mode tunnel
MASQUERADE all -- 10.0.0.0/24 anywhere

# iptables -t nat -I PREROUTING -m policy --dir out \
--pol ipsec --mode tunnel -j ACCEPT

# iptables -t nat -I POSTROUTING -m policy --dir in \
--pol ipsec --mode tunnel -j ACCEPT

This may be necessary on both gateways.

get xt_policy's help info

# iptables -m policy --help